Authors: Gadi Evron
Tags: fuzzing
Event: Chaos Communication Congress 23rd (23C3) 2006
Abstract: We will discuss fuzzing uses by software vendors and in the corporate world, for security auditing ("fuzzing before release") and third party testing ("fuzzing before purchase"). We will look at what contributed to this change in the use of fuzzing tools from home-grown hacking tools to commercial products, as well as how these organizations implement fuzzing into their development cycle. Fuzzing has been used for a long time in the hacker scene. Mostly, these tools have been home-grown. In the past year, several commercial fuzzing tools appeared. These in turn are now utilized by organizations in the development cycle under the motto of "fuzzing before release", or "find the vulnerability before hackers do". Another interesting and somewhat unexpected development in the field is that end-clients are the largest consumers of advanced fuzzing technology, performing tests on software before purchase. Further, some large telcos and financial institutions now demand that products be certified (even if not by an official seal) by fuzzing products which they authorize. Is fuzzing finally a solution to reduce vulnerabilities in products rather than just discover them later? How is it used by these corporations and third-party organizations? Some methodologies as well as examples will be presented, and we will also try to look into what the future holds.

Authors: David Hulton
Tags: FPGA
Event: Chaos Communication Congress 23rd (23C3) 2006
Abstract: This talk will go in depth into methods for breaking crypto faster using FPGAs. FPGAs are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. Their inherent structure provides a perfect environment for running a variety of crypto algorithms, and doing so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented and will demonstrate how many algorithms can be broken much faster than people really think, and in most cases extremely inexpensively. Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for precomputed tables to coWPAtty -- but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty. What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor's key? Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA, increasing the speed considerably. Lanman hashes have been broken for a long time and everyone knows it's faster to do a rainbow table lookup than go through the whole keyspace. On many PCs it takes years to go through the entire typeable range, but on a small cluster of FPGAs, you can brute force that range faster than doing a rainbow table lookup.
The code for this will be briefly presented and Chipper v2.0 will be released with many new features. David Hulton will also discuss some of the aspects of algorithms that make them suitable for acceleration on FPGAs and the reasons why they run faster in hardware, and touch on some future projects such as optimizations for attacking RSA and other difficult crypto algorithms.

Authors: Constanze Kurz, Roland Kubica
Tags: biometric, cinema
Event: Chaos Communication Congress 23rd (23C3) 2006
Abstract: It is a buzzword at the moment: biometrics. Everyone is talking about it and consumers are buying laptops with shiny fingerprint scanners. This talk will take a look at biometrics in science fiction films. In reality, biometric systems often don't work. In the movies, we can see what those recognition systems will look like and how they will work in the future. You can have your eyeball or face scanned and then you can easily walk through high security gates. The biometric system works flawlessly - until your eyeball gets stolen. Thanks to the movies, we also know biometric scanners are easy to defeat. We will witness movies where the nifty biometric security software is tricked. We will show short film scenes from approximately fifty movies and comment on them.

Authors: Frank Kargl
Tags: network
Event: Chaos Communication Congress 23rd (23C3) 2006
Abstract: Vehicle communication is a major research topic, covered by many national and international research projects. Applications promise to make our driving safer, more efficient, and more fun. The talk presents applications, technology, and also addresses security and privacy issues. The talk will first introduce the concept of vehicle communication. Vehicles can communicate with each other to form so-called Vehicular Ad-hoc Networks (VANETs) or with road-side units that allow access to backend systems that provide warnings, traffic information, etc. Next, there will be a presentation of potential applications to motivate the need for such communication. This includes warning applications, e.g. cars can send warning messages to other cars including their exact position, warning them of the danger ahead. As cars receiving such messages will forward them to other cars as well, they form a multi-hop ad-hoc network. Other applications can warn cars about dangerous road conditions, increase traffic efficiency at intersections or on highways, or may simply be used to send e.g. text messages between cars (did you ever want to tell the driver in front of you your opinion of his driving style? ;-) The talk will also cover technical details like position-based routing used in such networks or message dissemination protocols. It is evident that such systems will also introduce new dangers to security and privacy. Sending faked warning messages, for example, may affect traffic, and recording the position information of cars severely affects the privacy of drivers. The speaker is a member of the pan-European research project SEVECOM, which especially addresses the security and privacy needs in car communication. He will present some results from that project, describing security requirements, potential attacks, and first ideas for security and privacy mechanisms.

Secunia Security Advisory - Gentoo has issued an update for Config-IniFiles. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Secunia Security Advisory - Gentoo has issued an update for puppet. This fixes multiple security issues and two vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information and perform certain actions with escalated privileges and by malicious users to cause a DoS (Denial of Service).

Secunia Security Advisory - Debian has issued an update for python-django. This fixes two security issues and a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

HP Security Bulletin HPSBMU02803 SSRT100926 - A potential security vulnerability has been identified with HP Service Manager and HP Service Center Web Tier. The vulnerability could be remotely exploited resulting in cross site scripting (XSS). Revision 1 of this advisory.

HP Security Bulletin HPSBMU02800 SSRT100921 - A potential security vulnerability has been identified with HP Service Manager and HP Service Center Server. The vulnerability could be remotely exploited resulting in a Denial of Service (DoS). Revision 1 of this advisory.

Ubuntu Security Notice 1539-1 - An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. Various other issues were also addressed.

Ubuntu Security Notice 1538-1 - An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. Various other issues were also addressed.

Red Hat Security Advisory 2012-1169-01 - Condor is a specialized workload management system for compute-intensive jobs. It provides a job queuing mechanism, scheduling policy, priority scheme, and resource monitoring and management. Condor installations that rely solely upon host-based authentication were vulnerable to an attacker who controls an IP, its reverse-DNS entry and has knowledge of a target site's security configuration. With this control and knowledge, the attacker could bypass the target site's host-based authentication and be authorized to perform privileged actions. Condor deployments using host-based authentication that contain no hostnames or use authentication stronger than host-based are not vulnerable.

Red Hat Security Advisory 2012-1156-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. An integer overflow flaw was found in the i915_gem_execbuffer2() function in the Intel i915 driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. This issue only affected 32-bit systems. A missing initialization flaw was found in the sco_sock_getsockopt_old() function in the Linux kernel's Bluetooth implementation. A local, unprivileged user could use this flaw to cause an information leak.

Red Hat Security Advisory 2012-1168-01 - Condor is a specialized workload management system for compute-intensive jobs. It provides a job queuing mechanism, scheduling policy, priority scheme, and resource monitoring and management. Condor installations that rely solely upon host-based authentication were vulnerable to an attacker who controls an IP, its reverse-DNS entry and has knowledge of a target site's security configuration. With this control and knowledge, the attacker could bypass the target site's host-based authentication and be authorized to perform privileged actions. Condor deployments using host-based authentication that contain no hostnames or use authentication stronger than host-based are not vulnerable.

[Brane] built an underwater ROV from LEGO mindstorm parts. Look closely at this image and you should notice something missing. The tether that normally carries power and control lines from an ROV to the surface is missing. This is a wireless solution that lets him control the device using an Xbox controller. The video after [...]

We see a lot of projects related to Conway’s Game of Life, but this one is Hasbro’s Game of Life. The board game company recently commissioned a giant game spinner as part of a museum exhibit. Here’s the build log that shows how it was pulled off. The first thing to note is that [Jzzsxm] [...]

Only 80s kids will get this: remember when computers had built-in keyboards, like the Apple II line, or the Commodore 64? That's a form factor duplicated by case modders many times over the years, but [preamp]'s project is the first time it's been done using a Raspi (German, Google translation). For his build, [preamp] used what [...]

Ah, chiptunes. One of the few remaining human endeavours where less RAM, less storage space, and fewer capabilities are actually considered an improvement. [dop3joe] over at the Stuttgart hackerspace Shackspace sent in a tiny chiptune playing circuit using the most bare-bones hardware we’ve ever seen. The Noiseplug, as [dop3joe] calls it, is based on a very, very [...]

There’s a lot of cool stuff brewing on the Hackaday forums. [igor_b] posted a project he’s been working on that uses a servo, motor, wine glass, and a balloon to create a one-glass armonica. A glass harmonica is a series of nested bowls turned on a spindle that is played by running your finger along the rims [...]

[Michael] built his own clone of the popular MaKey MaKey Kickstarter project. His implementation uses an ATMega328 and the V-USB stack to connect as a USB Human Interface Device. He was showing it off at Toorcamp wired up to a banana piano, which captured the interest of kids and adults alike. The digital inputs are [...]

Group-Office 4.0.71 was found to display a behaviour that could potentially
expose a user's username and cleartext password to third-parties. Under
certain circumstances the application would return two cookies, one
containing the user's username and...

TCExam 11.3.007 is subject to a cross-site scripting vulnerability. A
'question_subject_id' parameter is not sufficiently sanitised before being
written to the tce_edit_answer.php page. An attacker could distribute a
malicious URL to specific users as part of a spear-phishing campaign. Users
following the link...

The open source version of Total Shop UK eCommerce based on CodeIgniter
version 2.1.2 is subject to a cross-site scripting vulnerability. The value
of a generic parameter was not sufficiently sanitised before being written
to a block of JavaScript code. An...

The art of taking long exposure photographs with blinking RGB LEDs has improved greatly over the years, mostly due to the extremely easy to use Arduino and hundreds of tutorials on the web. If there’s one problem with light painting with a ‘duino, it’s that large, full color images take up a ton of storage [...]

NeoInvoice is a multi-tenant open source invoicing system, that
currently contains an unauthenticated blind SQL injection condition in
signup_check.php. The input for the value field isn't being properly
sanitized, and is used in string concatenation to create the SQL
query.

First, winsxs is Microsoft's Windows file repository. Every part of
Windows is split into components and packages. Every package is
copied into the winsxs folder.

But the content of the winsxs folder doesn't represent the currently
installed features. So for example you could have the IIS package in
winsxs, but IIS isn't currently installed on your system.
But if you would install...

Fresh off the 72-hour madness of the Red Bull Creation contest some of the folks a North Street Labs took on a stage lighting project. It’s for a local performing venue that just opened up, and despite the time crunch the team pulled off another great build. Sixteen meters of LED strip make the electronics [...]

TCExam 11.3.007 is prone to a SQL injection flaw located in
tce_edit_answer.php and tce_edit_question.php. These files pass a
'subject_module_id' parameter into a SQL statement without satisfactory
sanitisation. An attacker with authoring permissions could leverage this
vulnerability to take full control of the database.

[Jim] has an old Android phone he’d like to use as a Robot brain. It’s got a lot of the things you’d want in a robot platform; WiFi, Bluetooth, a camera, an accelerometer, etc. But he needed some way to make the mobile, mobile. What he came up with is a chassis with servos that [...]

----------------------------------------------
*GreHack 2012* LAST Call For Papers .. till 15th August 2012.
----------------------------------------------
http://grehack.org

GreHack 2012 conference will take place in Grenoble
(Alps), France on October 19th-20th 2012 and brings together students,
academia, industry and government to exchange knowledge around
emerging issues in the security + hacking world. During the night, a
Capture The Flag...

This is the MC Hawking robot built by the Noisebridge hackerspace in San Francisco. It’s a robotic electric wheelchair outfitted with a PC, an XBox Kinect, and an Arduino. On the software side, it uses Ubuntu and the open source ROS platform. A few folks from Noisebridge were hacking away on the robot at Toorcamp to [...]

Debut of Offensive Techniques: We have completely overhauled our Tactical Exploitation class for Blackhat, and are now getting ready to debut a new course at Countermeasure 2012 (http://www.countermeasure2012.com/) titled Offensive Techniques (http://www.countermeasure2012.com/training-ot.html)

Offensive Techniques is designed to show students how to truly conduct offensive cyber operations on networks. In our current day of "APT" and targeted attacks, companies often don't understand how they are vulnerable to these types of attacks. Targeted attacks can be carried off by individuals as well as nation states and Offensive Techniques is designed to teach students how to really conduct these types of operations. We increasingly see many "pen-testing" shops disappoint a customer with a report about how many shells they got, but not how vulnerable their business is from someone actually coming after them in a targeted manner. The class is designed to work a student through compromising a fully operational enterprise Windows and Unix network with techniques perfected by Attack Research. We will be releasing more courses in the near future ranging from secure system administration to offensive and defensive classes. If you are interested in Offensive Techniques or other courses drop us a line at training@attackresearch.com

If you find yourself in need of a driver for a high power string of LEDs this is a must read. [Limpkin] just designed this driver as a contract job. He can’t show us the schematic, but he did share some tips on how to build an LED driver around a MAX16834 chip. As you move [...]

Toorcamp is all wrapped up after four great days of talks, hacking, and parties. Located in Neah Bay, Washington, Toorcamp was a four day event modelled after European hacker camps. This is the second time Toorcamp has been run, and it’s clear that both the organizers and attendees know how to throw an awesome stateside [...]

The USB ports on this work station are locked. In order to use a USB device you’ll need to insert a Smartcard into the reader seen above. The interesting thing here is that this shouldn’t affect your ability to charge a USB device. When you visit the link above make sure to check out the [...]

We understand where [Craig] is coming from, leaving no stone unturned when looking for new electronic projects to occupy his time. He tried to convince his wife that they needed a light show to accompany dinner, and while she was skeptical he went ahead and built this remote control RGB chandelier anyway. He recently purchased [...]